The Future of Cyber Defense: Autonomous Proactive Resilience through System-Centric AI

In light of the complex cybersecurity challenges faced in 2025, the role of data-driven research must evolve beyond traditional detection. At SNSec Lab, we are setting a new mission: to build Autonomous Proactive Resilience through deep integration of system-level intelligence and advanced AI.

The Mission: Autonomous Proactive Resilience through System-Centric AI

1. Core Philosophy: System-Internal Observability as the Foundation

Although many existing studies focus on network traffic or application-level logs, our research emphasizes a deep understanding of Operating System internals across Linux, Windows, and macOS. Our objective is to shift the paradigm from analyzing post-mortem logs (what happened) to monitoring runtime kernel-level states (what is happening).

To achieve this, we utilize eBPF (Linux), ETW (Windows), and Endpoint Security Framework (macOS) to feed real-time system state vectors into deep learning models. This approach enables us to capture the “causal chain” of an attack—such as a specific process execution linked to a hidden network socket—rather than analyzing isolated events in a vacuum.

2. From Reactive Detection to Proactive Threat Hunting

The major cyber incidents of 2025 succeeded largely by exploiting the “detection gap”—the critical window between initial access and discovery. We aim to close this gap by developing Predictive Threat Hunting capabilities.

Instead of scanning for known attack signatures, we develop AI models that monitor “System Entropy.” By learning the baseline behavior of complex server-side environments, our models can flag “Pre-Attack Indicators”—such as nuanced changes in memory access patterns or unexpected privilege escalations—effectively neutralizing threats before the final payload is executed.

3. Multi-Modal Foundation Models for Comprehensive Defense

Building on our expertise in server-side log analysis and deep learning, we are moving toward holistic system modeling. Our goal is to transcend single-stream analysis by developing a Cyber-Security Foundation Model (SecFM).

Just as Large Language Models (LLMs) understand natural language, we aim to develop models that comprehend the “Grammar of System Behavior.” By co-embedding Network Metadata, System Telemetry, and Application Logs, our SecFM performs Causal Reasoning to automatically interpret the attack lifecycle—determining how an intruder breached the network and predicting their next lateral move.

4. Real-Time Autonomous Infrastructure Assessment

The ultimate role of our research is to eliminate the human bottleneck in security operations (SoC). We envision a Self-Assessing Infrastructure driven by AI.

We are developing models that generate a continuous “Cyber Health Score” for live systems. Unlike static vulnerability scans, this provides a real-time assessment of the “Insecurity Delta,” quantifying how much the current system state has drifted from its trusted baseline, thereby enabling autonomous integrity assurance.